Linux Containers: an Emerging Cloud Technology
Asad Javed, Aalto University, Department of Computer Science

Abstract—Linux containers, commonly known as LXC, have become a popular approach for creating virtual environments inside a large computer system. LXC is a lightweight virtualization infrastructure which creates multiple virtual Linux systems simultaneously on a single host machine. Linux kernel features are used to provide an isolated environment for the applications within these systems. The main goal of LXC is to create an environment as close as possible to a standard Linux system, thus providing scalable and performance-efficient systems; it can therefore be considered an emerging cloud technology. This paper presents a thorough survey of LXC together with two well-known and important kernel features, namespaces and cgroups. A comparison between container-based and hypervisor-based virtualization is also made in order to fully understand this approach. At the end, the Docker platform is explained, which is an open source project and a running application of Linux containers.

Keywords—linux, namespaces, kernel, cloud, cgroups, docker

I. INTRODUCTION

In recent years, virtualization has become very popular in large distributed systems, since the need to make the whole system efficient has become evident. With the advent of distributed systems and cloud computing, there is a virtualized environment in almost every data center. Due to this emergence, there are many software solutions, such as VMware [1] which provides cloud and software services, Xen [2] which provides services based on a microkernel design, Kernel Virtual Machine (KVM) [3] which also provides full virtualization, and Hyper-V [4] which is specifically for Windows Server. These solutions are known as hypervisor-based virtualization and are considered efficient because they have many features, including portability, easier backups, isolation, security, and migration to the cloud [5]. Because of this large number of benefits, virtualization can also be considered a foundation of cloud technology.

Although virtualization provides efficiency and scalability, traditional virtualization also carries a resource overhead. At that point, Linux container-based virtualization (LXC) comes into practice. This approach has a different context compared to a hypervisor: it is operating-system-level virtualization, unlike a hypervisor, which is hardware-level virtualization, and it creates multiple systems on a single host. Conceptually, it can be considered a lightweight virtualization because applications run in a separate container that shares the resources of the host operating system [5] [6]. The whole execution environment, such as libraries, file system, scripts, application, and operating system, is put in a container and then executed on a single host. In this way the system becomes more efficient in terms of processing, and applications run in an isolated form irrespective of the other applications [7] [8].

The rest of the paper is organized as follows. Section II describes the difference between traditional hypervisor-based virtualization and the LXC approach. Section III presents the kernel features which are used by containers in order to provide isolation and scalability. An application of LXC named Docker, along with its usage, is illustrated in Section IV. Finally, the paper ends with a conclusion in Section V. In addition, a separate document has been provided [16] which demonstrates LXC and how to use it with the proper commands.

II. COMPARISON BETWEEN HYPERVISOR AND CONTAINERS

Despite the fact that virtualization offers a huge number of benefits, there is still a difference between hypervisor-based and container-based virtualization, where the latter provides greater efficiency [8] [9]. The comparison is shown in Fig. 1.

Fig. 1. Hypervisor vs Linux containers. (a) Hypervisor-based virtualization: Server, Host Operating System, Hypervisor, then one Virtual Machine per workload, each holding a Guest OS, Binaries/Libraries and the App. (b) Linux containers: Server, Host Operating System, then one Container per workload, each holding only Binaries/Libraries and the App.

According to Fig. 1(a), there is a separate hypervisor layer running on top of the host operating system. This layer consists of a virtual machine monitor that provides full abstraction of virtual machines, which then act as guest OSes. In that case, all created VMs are isolated from each other and act as separate OSes on top of the physical host. Because of this hypervisor, every VM has its own kernel, which makes the application more expensive. Moreover, all the binaries and libraries are also created along with a kernel, which is of course a great overhead in terms of resource allocation [7] [9]. Unlike any hypervisor-based system, there is another lightweight virtualization based on Linux containers. LXC removes that overhead and provides a full-fledged OS in the form of containers, as can be seen in Fig. 1(b). The kernel of the host OS is shared between all containers, which can thus run many processes in an isolated fashion [7] [8].

There are many benefits of container-based virtualization which distinguish it from traditional hypervisor-based virtualization [10]. Some of the benefits are described below.

A. Portability

Since LXC containers are portable, they can be run in any environment without changing the functionality. The applications running in a container can also be bundled together in a single unit and then deployed and separated into another environment.

B. Scalability

LXC can run on any Linux system and then scale up from one container to hundreds and scale down again. Another interesting factor is the deployment from a physical system into the cloud and then back to the system again. Thus, containers are easily suited to public cloud platforms with scale-out applications.

C. Isolation

It provides complete isolation between the processes running in a container. It also provides isolation between multiple containers. For that, it uses two separate kernel features, namespaces and cgroups, which are discussed in Section III.

D. Flexibility

As there is no overhead while creating containers, there is flexibility to share multiple resources of the host operating system between different guests. Moreover, building, developing, and deploying new containers is easy, which in turn reduces time and provides good visibility.

Apart from all these benefits, there are two features which are still better in hypervisor-based machines: security and isolation. Hypervisors provide more security compared to containers because they have attack barrier functionality [5]. For isolation, container-based virtualization is supposed to have weaker isolation, as it works at the OS level and shares most of the resources of the host operating system. However, from the user's

III. KERNEL FEATURES

In order to provide more isolation in container-based virtualization, there are six kernel features which LXC can use. These are: namespaces, cgroups, SELinux profiles, Seccomp policies, chroots, and kernel capabilities [6]. The two most important of them are discussed below.

A. Namespaces

The main purpose of namespaces is to provide per-process isolation within containers by wrapping a global system resource in an abstraction. It ensures that the processes assigned to the same namespace run only in that space without interfering with other processes. It also ensures isolation between containers and guarantees that the containers only see their own environment. Currently, there are six namespaces in the Linux implementation, which are described below [11] [12].

a) Mount namespaces (mnt): It allows processes to have a different view of the filesystem mount points. Processes in separate mount namespaces have their own filesystem layout, different from that of other processes, thus providing isolation of the set of filesystems.

b) UTS namespaces (uts): This namespace allows containers to have their own hostnames. It isolates two system identifiers, the nodename and the domainname, which are separate for every container.

c) PID namespaces (pid): It allows processes to have different IDs by assigning different process identifiers, thus providing isolation of the PID number space. Processes in different namespaces can have the same IDs but are hidden from each other. A process in the parent namespace can still see the processes in the child namespace.

d) IPC namespaces (ipc): This namespace offers isolation of inter-process communication resources (such as POSIX message queues and System V IPC objects) between multiple namespaces.

e) User namespaces (user): It allows processes to have different user and group IDs, thus providing isolation outside and inside a user namespace.

f) Network namespaces (net): It provides isolation of networking resources, and each container has its own network devices. Thus, each network namespace contains separate routing tables, iptables firewalls, and network interface controllers.

B. Cgroups (Control groups)

Control groups, known as cgroups, are the main kernel feature that allows limiting and isolating the resource usage of processes, such as CPU time, system memory, disk bandwidth, network bandwidth, and monitoring. LXC uses these sub-resources of cgroups to assign different features to separate containers. The feature usage is demonstrated in section 8 of
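As an added example (not from the paper and not LXC's own code), the following C program builds a minimal sandbox from three of the namespaces described in Section III.A, user, uts and pid, with a single unshare(2) call: the sandboxed process renames its host and checks that it is PID 1, while the parent verifies that the host's own hostname is untouched. It assumes a Linux kernel that permits unprivileged user namespaces; if the kernel refuses, demo_namespaces() reports that (0) rather than an isolation violation (-1).

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Kernel ABI flag values (only exposed by <sched.h> with _GNU_SOURCE,
 * so they are spelled out here to keep the example self-contained). */
#define NS_USER 0x10000000   /* CLONE_NEWUSER */
#define NS_UTS  0x04000000   /* CLONE_NEWUTS  */
#define NS_PID  0x20000000   /* CLONE_NEWPID  */

/* Runs in a forked child. Exit status: 0 = isolation confirmed,
 * 1 = isolation violated, 2 = kernel did not allow the namespaces. */
static int sandbox_child(void) {
    /* One unshare() call: the new user namespace owns the new uts and
     * pid namespaces, and we hold full capabilities inside it, so
     * sethostname() works without being root on the host. */
    if (syscall(SYS_unshare, NS_USER | NS_UTS | NS_PID) != 0 ||
        sethostname("ctr", 3) != 0)
        return 2;                       /* typically EPERM */
    pid_t gc = fork();                  /* first process in the new pid ns */
    if (gc < 0) return 2;
    if (gc == 0) {
        char h[64] = {0};
        gethostname(h, sizeof h - 1);
        _exit((getpid() == 1 && strcmp(h, "ctr") == 0) ? 0 : 1);
    }
    int st;
    waitpid(gc, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : 1;
}

/* Returns 1 if namespace isolation was demonstrated, 0 if the kernel
 * refused to create the namespaces, -1 if isolation was violated
 * (hostname change leaked to the host, or child was not PID 1). */
int demo_namespaces(void) {
    char before[64] = {0}, after[64] = {0};
    gethostname(before, sizeof before - 1);
    pid_t c = fork();
    if (c < 0) return 0;
    if (c == 0) _exit(sandbox_child());
    int st;
    waitpid(c, &st, 0);
    gethostname(after, sizeof after - 1);
    if (strcmp(before, after) != 0) return -1;
    int code = WIFEXITED(st) ? WEXITSTATUS(st) : 1;
    return code == 2 ? 0 : (code == 0 ? 1 : -1);
}
```

Running it on a host where unprivileged user namespaces are disabled (a common hardening setting) returns 0, which is itself worth noting: the namespaces a container relies on are a kernel policy decision, not a property of the container image.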